Cyber Resilience

CVE-2026-41505

High

Published: 07 May 2026

Modified: 07 May 2026
CVSS v3.1 score: 8.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H)
EPSS score: 0.0026 (17.8th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-41505 is a high-severity vulnerability of type Use of Insufficiently Random Values (CWE-330). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 17.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE was vulnerable to predictable token generation in the make_sign_in_key() function of auth.py and the gen_ticket_code() function of exam.py. This issue has been patched in commit 2f68e16.

CWE(s)

CWE-330 (Use of Insufficiently Random Values), CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1606 Forge Web Credentials (Credential Access): Adversaries may forge credential materials that can be used to gain access to web applications or Internet services.

Why these techniques?

Predictable token generation in the authentication functions directly enables forging valid sign-in keys and exam tickets, giving unauthorized access to the web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2024-58041 (shared CWE-338)
- CVE-2025-40905 (shared CWE-338)
- CVE-2025-66630 (shared CWE-338)
- CVE-2024-40762 (shared CWE-338)
- CVE-2026-33710 (shared CWE-330)
- CVE-2026-27637 (shared CWE-330)
- CVE-2021-26091 (shared CWE-338)
- CVE-2026-25726 (shared CWE-338)
- CVE-2026-25072 (shared CWE-330)
- CVE-2025-68704 (shared CWE-330)

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Key generation under controlled management uses approved random-bit sources rather than insufficiently random values. (addresses CWE-330, CWE-338)
- Security associations share details on cryptographically weak PRNGs, helping avoid their implementation in security-critical functions. (addresses CWE-338)